Covid-19 has introduced a lot of physical health and safety risks to everyday occurrences. To stay safe while still being able to go out restaurants are using QR codes to access digital menus, to avoid a passing germ-covered menu from person to person.
Quick Response known as QR Codes are black and white barcode-like squares that can be scanned with most smartphone cameras, and trigger a number of actions. At a restaurant QR codes are mostly used to open a link to a menu. This can help avoid the spread of Covid-19, but can open a new security risk.
According to a survey by MobileIron, QR codes are widely used today, with more than one-third of mobile users scanning a QR code at a restaurant, bar, retailer in the last six months. The survey also found that most people don’t understand potential risks of using QR codes. 71% of respondents said they couldn’t tell the difference between a legitimate and malicious QR code.
- Add a contact listing: Hackers can add a new contact listing on the user’s phone and use it to launch a spear phishing or other personalized attack.
- Initiate a phone call: By triggering a call to the scammer, this type of exploit can expose the phone number to a bad actor.
- Text someone: In addition to sending a text message to a malicious recipient, a user’s contacts could also receive a malicious text from a scammer.
- Write an email: Similar to a malicious text, a hacker can draft an email and populate the recipient and subject lines. Hackers could target the user’s work email if the device lacks mobile threat protection.
- Make a payment: If the QR code is malicious, it could allow hackers to automatically send a payment and capture the user’s personal financial data.
- Reveal the user’s location: Malicious software can silently track the user’s geolocation and send this data to an app or website.
- Follow social-media accounts: The user’s social media accounts can be directed to follow a malicious account, which can then expose the user’s personal information and contacts.
- Add a preferred Wi-Fi network: A compromised network can be added to the device’s preferred network list and include a credential that automatically connects the device to that network.
Because QR codes are being widely for easy and physical safety the cyber-threat is real, this can create a lot of security risk. QRLjacking is listed as an attack vector by the Open Web Application Security Project. QRLjacking is attack when someone uses a QR code as a one-time password, displaying it on a screen.
And in a recent Hacker Noon article Natalie Klein pointing wrote,
“It is trivial for a bad actor to replace a QR code at a restaurant table with a malicious code. Using free QR Code software, a hacker could direct users to a website asking them to sign in with Facebook or Gmail. To an ad interstitial, or to download malware. And Many other non-technically advanced phishing and clickjacking scams are possible if someone had access to change the QR code.“
Last year, the creator of the QR code even said that QR codes need security revamp. It’s worth taking the time to as least understand the risks of this new threat vector.
A threat vector that is growing, not only with restaurants but even for checking in at medical clinics. In Southlake, Botox provider Evexias Medical has held off on a QR code system until the better understand the risks.
While coffee shops like Green Truck Cafe cited in the INF article have opted to use designed QR codes that help protect their customers from a hack, by making it easy for staff to validate the codes are unchanged.